LuC-iTA (Newbie cheater). Reputation: 0. Joined: 14 Jul 2014. Posts: 14.
Posted: Thu Oct 22, 2015 6:34 am. Post subject: A little help on hacking Turmoil
Hello.
Could someone help me to hack, or learn how to hack, the game Turmoil?
All values are accessed and written by and to a single opcode. I need only a single value. I've tried to explore the code with IDA, but I can't understand why there are 6 switches in the code and how I can isolate the money address from the others.
The attached image shows the only opcode for all values in the game. The value found is the money value, in double.
Using pointer scan doesn't work as it does for other games.
Hope someone can help.
I also have the same problem with some UE3 games, like Woolfe: The Red Hood Diaries.
Sorry if my English is not so well written.
Thanks for your attention.
Attachment: image (211.88 KB), viewed 29544 time(s).
Zanzer (I post too much). Reputation: 126. Joined: 09 Jun 2013. Posts: 3278.
Posted: Thu Oct 22, 2015 7:05 pm
I would start by setting an injection to execute some code only when your money address appears.
Code:
newmem:
cmp esi,0FB60E60 // ESI holds the address being read; compare it with the money address found in the scan
jne code          // any other address: run the original instructions untouched
nop // break here
code:
fld qword ptr [esi]  // original instructions that were overwritten by the jmp
mov al,01
fstp qword ptr [edi]
jmp return
INJECT:
jmp newmem
nop
return:
Then set a break and trace on the NOP.
Now go through the code and see if any prior functions that provide the ESI value only execute for money.
Place your true injection there to intercept the address.
LuC-iTA (Newbie cheater). Reputation: 0. Joined: 14 Jul 2014. Posts: 14.
Posted: Fri Oct 23, 2015 3:41 am
Zanzer MANY thanks for your reply!!! I'll try as soon as I can! And will post my results! Your method should work also in some UE3 games in which all the values I find are stored in a memcpy function. I suppose.
Again many thanks!
EDIT:
I'm sorry but I'm not familiar with the trace function.
Could you help me again?
In the attached image I hope there's something useful, because I don't see anything prior to the nop that could be interesting. But I'm a newbie, so I need to learn.
[img]imgur dot com/ezj9v91[/img]
P.S.:
Exploring the code I've found a push with a comment like "VMProtect.cpp"... Is that useful information?
Sorry for the BIG image
EDIT2:
In the meantime I've made this little script. But I wait for your answer.
Code:
[ENABLE] // required so that the [DISABLE] section below is paired with an enable section
aobscanmodule(INJECT,TurmoilSteam.exe,DD 06 B0 01 DD 1F) // fld qword ptr [esi] / mov al,01 / fstp qword ptr [edi]
alloc(newmem,$1000)
alloc(_ok,4) // flag set to 1 from the table to arm the one-shot write
label(code)
label(return)
label(Money)
registersymbol(_ok)
newmem:
cmp byte ptr [_ok],1 // only act while the flag is armed
jne code
Money:
cmp dword ptr [esi+4],409F4000 // I used this method because I don't know how to compare with double values. And cmp qword won't work.
                               // 409F4000 is the high dword of the double 2000.0 (the low dword at [esi] is not checked)
jne code
mov dword ptr [esi+4],412E847E // overwrite the high dword only; 412E847E is the high dword of 999999.0 (1000000.0 would be 412E8480)
mov byte ptr [_ok],0 // disarm so the write happens once
code:
fld qword ptr [esi] // original instructions
mov al,01
fstp qword ptr [edi]
jmp return
INJECT:
jmp newmem
nop
return:
registersymbol(INJECT)
[DISABLE]
INJECT:
db DD 06 B0 01 DD 1F // restore the original bytes
unregistersymbol(INJECT)
unregistersymbol(_ok)
dealloc(_ok)
dealloc(newmem)
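The script above compares and writes only the high dword of an 8-byte double, which works because of how IEEE-754 doubles are laid out in memory. The following Python is an added example, not code from the thread or from Cheat Engine: it splits a double into the two dwords that sit at [esi] and [esi+4] on little-endian x86, models what `cmp dword ptr [esi+4],imm` accepts and what `mov dword ptr [esi+4],imm` produces, and shows the range of values a high-dword-only comparison matches. The constants are the ones from the script; everything else is constructed for illustration.

```python
import struct
from typing import Tuple

# A double is 8 bytes. On little-endian x86 the low 32 bits of the encoding are
# at [addr] and the high 32 bits (sign, 11-bit exponent, top 20 mantissa bits)
# are at [addr+4]. That high dword is what the script's cmp and mov touch.


def double_to_dwords(x: float) -> Tuple[int, int]:
    """Return (low_dword, high_dword) of x as it is stored in memory on x86."""
    lo, hi = struct.unpack("<II", struct.pack("<d", x))
    return lo, hi


def dwords_to_double(lo: int, hi: int) -> float:
    """Reassemble a double from its two little-endian dwords."""
    return struct.unpack("<d", struct.pack("<II", lo, hi))[0]


def high_dword_matches(x: float, imm: int) -> bool:
    """Model of `cmp dword ptr [esi+4],imm` when the double at [esi] is x."""
    return double_to_dwords(x)[1] == imm


def match_range(hi: int) -> Tuple[float, float]:
    """Smallest and largest doubles whose high dword equals hi, i.e. the whole
    interval a high-dword-only comparison accepts (low dword 0 .. 0xFFFFFFFF)."""
    return dwords_to_double(0, hi), dwords_to_double(0xFFFFFFFF, hi)


def patch_high_dword(x: float, imm: int) -> float:
    """Model of `mov dword ptr [esi+4],imm` applied to the double x: only the
    high half changes, the low dword keeps whatever it held before."""
    lo, _ = double_to_dwords(x)
    return dwords_to_double(lo, imm)


if __name__ == "__main__":
    # Constructed sample values: the script's 2000.0 trigger and the two
    # candidate targets around one million.
    for v in (2000.0, 999999.0, 1000000.0):
        lo, hi = double_to_dwords(v)
        print(f"{v:>10}: [esi]=0x{lo:08X}  [esi+4]=0x{hi:08X}")
    low_v, high_v = match_range(0x409F4000)
    print(f"high dword 0x409F4000 accepts {low_v!r} .. {high_v!r}")
    print("after the mov:", patch_high_dword(2000.0, 0x412E847E))
```

Because the script never looks at the low dword, the compare accepts every value from 2000.0 up to (but not including) roughly 2000.001, and the write produces 999999.0 plus whatever fraction below 0.5 the untouched low dword encodes; on a freshly set 2000.0 the low dword is zero, so the result is exactly 999999.0.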
Zanzer (I post too much). Reputation: 126. Joined: 09 Jun 2013. Posts: 3278.
Posted: Fri Oct 23, 2015 10:14 am
Well, in your screenshot, I would double click the instruction at 0040A243.
Now scroll up one instruction and you'll find the call statement which retrieves your value.
One might set a break and trace there to see if you can find where ESI comes from.
Might need to travel further up the chain at instructions 00515D98 or 00519712 (or further).
It is very tedious and can become frustrating. I normally give up, so heads up!
LuC-iTA (Newbie cheater). Reputation: 0. Joined: 14 Jul 2014. Posts: 14.
Posted: Fri Oct 23, 2015 1:07 pm
Your help is much appreciated and your knowledge is interesting, as are your trainers! I'll try to do my best!
JCDenton (How do I cheat?). Reputation: 0. Joined: 01 Jan 2016. Posts: 1.
Posted: Sat Jun 04, 2016 6:08 pm
Hi,
I have been trying to find a trainer for this game and nothing shows up or works.
Tracing the instructions leads to the following.
Code:
TurmoilSteam.exe+9977 - 8B C1 - mov eax,ecx
TurmoilSteam.exe+9979 - 83 E0 3F - and eax,3F { 63 }
TurmoilSteam.exe+997C - C6 05 249E6E00 00 - mov byte ptr [TurmoilSteam.exe+2E9E24],00 { [00000000] } <-------- *Here*
TurmoilSteam.exe+9983 - 8B 44 86 04 - mov eax,[esi+eax*4+04]
TurmoilSteam.exe+9987 - 85 C0 - test eax,eax
This instruction, mov eax,[esi+eax*4+04], calculates the value (money address - 8), but it gets called a lot of times. EAX = 8 for the money address, but the values when calculated never add up to the real address.
So, I made a messy table.
To use this table: after activating the script, make sure to press "Q" every time before going to the dig site, and once you are at the oil digging screen the first thing you buy is a dowser/mole (anything of $100).
Attachment: TurmoilSteam.CT (4.75 KB), downloaded 2206 time(s). Description: works for Turmoil v0.0.0.292.
LuC-iTA (Newbie cheater). Reputation: 0. Joined: 14 Jul 2014. Posts: 14.
Posted: Mon Jun 06, 2016 2:55 am
Many thanks!
seikur0 (Advanced Cheater). Reputation: 7. Joined: 02 Aug 2013. Posts: 98. Location: Germany.
MasterPekar (How do I cheat?). Reputation: 0. Joined: 25 Oct 2015. Posts: 5.
Posted: Sun Mar 12, 2017 2:18 pm
JCDenton wrote:
    So, I made a messy table.
    To use this table: after activating the script Make sure to press "Q" every time before going to the dig site and once you are at the Oil digging screen the first thing you buy is a dowser/mole (anything of $100).
My update for JCDenton's code/table:
+ Start money
+ Auto refresh and capture address and money each round
+ First (2000$) horse ("W") - trigger
How to use:
- Attach to game and activate root script
- Enable/Disable start money and set count
- Go to start digging
- While at 2000$, build horse ("W" button)
- That will set start money if enabled (default enabled) and capture valid money address
P.S. The forum is bugging: "Cheat Engine files -> Maximum Upload Size: 8 Bytes". Please rename TurmoilSteam.lua to TurmoilSteam.ct before use!
Attachment: TurmoilSteam.lua (5.64 KB), downloaded 1762 time(s).